FTC Proposes New Rules on Children’s Online Privacy Issues

On August 1, 2012, the Federal Trade Commission announced that is issuing a Supplemental Notice of Proposed Rulemaking to modify certain of its rules under the Children’s Online Privacy Protection Act (COPPA). Industry has been waiting on FTC action regarding COPPA, as the agency previously undertook a COPPA rulemaking in September 2011 and proposed modifying certain COPPA rules to account for changes in technology, particularly mobile technology.

The FTC received over 350 comments during that time. After reviewing those comments, the FTC has decided to propose certain additional changes to its COPPA rule definitions.

In summary, COPPA gives parents control over the information websites can collect from their kids. It applies to websites designed for children under 13 – or those that have reason to know they are collecting information from a child. It requires a specific privacy notice and that consent be obtained from parents in many circumstances before children’s information may be collected and/or used.

The FTC has proposed several changes that are of interest. Some are meant to “tighten” the COPPA rule, others are meant to provide some additional flexibility to operators.

The proposed change would make clear that an operator that chooses to integrate the services of third parties that collect personal information from visitors (like ad networks or plug-ins) would itself be considered a covered “operator” under the Rule.

The FTC is also proposing to allow websites with mixed audiences (e.g., parents and over 13) to age-screen visitors to provide COPPA’s protections only to those under 13. However, kid-directed sites or services that knowingly target under-13s as their primary audience or whose overall content is likely to attract kids under that age could not use that method.

Also, the FTC has proposed modifying the definition of what constitutes “personal information” relating to children to make it clear that a persistent identifier falls within that definition if it can be used to recognize a user over time or across different sites or services. The FTC is considering whether activities like site maintenance and analysis, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual ads, and protecting against fraud and theft should not be considered the collection of “personal information” as long what’s collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising.

Comments on the FTC’s proposed rule changes are due by September 10, 2012.